<html>
<head><meta charset="utf-8"><title>obtaining crates.io tokens from subprocesses · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/obtaining.20crates.2Eio.20tokens.20from.20subprocesses.html">obtaining crates.io tokens from subprocesses</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="171493179"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/obtaining%20crates.io%20tokens%20from%20subprocesses/near/171493179" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/obtaining.20crates.2Eio.20tokens.20from.20subprocesses.html#171493179">(Jul 23 2019 at 06:29)</a>:</h4>
<p>interesting RFC <a href="https://github.com/rust-lang/rfcs/pull/2730" target="_blank" title="https://github.com/rust-lang/rfcs/pull/2730">https://github.com/rust-lang/rfcs/pull/2730</a></p>



<a name="171493258"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/obtaining%20crates.io%20tokens%20from%20subprocesses/near/171493258" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/obtaining.20crates.2Eio.20tokens.20from.20subprocesses.html#171493258">(Jul 23 2019 at 06:31)</a>:</h4>
<blockquote>
<p>An alternative with better user experience but more limited customization would be for Cargo to provide cross platform, native integration with the most popular secret storages, for example the system keyring</p>
</blockquote>



<a name="171583681"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/obtaining%20crates.io%20tokens%20from%20subprocesses/near/171583681" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Luca Bruno <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/obtaining.20crates.2Eio.20tokens.20from.20subprocesses.html#171583681">(Jul 24 2019 at 07:10)</a>:</h4>
<p><a href="https://github.com/hwchen/keyring-rs" target="_blank" title="https://github.com/hwchen/keyring-rs">https://github.com/hwchen/keyring-rs</a> supports OS-provided user keyrings on Linux/macOS/Windows.</p>



<a name="171640970"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/obtaining%20crates.io%20tokens%20from%20subprocesses/near/171640970" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/obtaining.20crates.2Eio.20tokens.20from.20subprocesses.html#171640970">(Jul 24 2019 at 20:35)</a>:</h4>
<p>Is the whole thing still based on shared symmetric secrets, where it is almost easier to send the shared secret to the wrong registry than it is to correctly configure the registry you want?</p>



<a name="171641129"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/obtaining%20crates.io%20tokens%20from%20subprocesses/near/171641129" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/obtaining.20crates.2Eio.20tokens.20from.20subprocesses.html#171641129">(Jul 24 2019 at 20:38)</a>:</h4>
<p>it's a bearer credential, and not a pubkey, yes</p>



<a name="171641180"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/obtaining%20crates.io%20tokens%20from%20subprocesses/near/171641180" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/obtaining.20crates.2Eio.20tokens.20from.20subprocesses.html#171641180">(Jul 24 2019 at 20:38)</a>:</h4>
<p>cargo tokens, that is</p>



<a name="171641824"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/obtaining%20crates.io%20tokens%20from%20subprocesses/near/171641824" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/obtaining.20crates.2Eio.20tokens.20from.20subprocesses.html#171641824">(Jul 24 2019 at 20:46)</a>:</h4>
<p>My view is that this design was only temporarily acceptable when there was one registry (<a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a>) and now it's untenable. I thought the previous issues already made this pretty clear. Everybody running a custom registry probably has an OAuth provider that they'd prefer to delegate authentication to, which also supports 2FA, AFAICT.</p>



<a name="171642247"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/obtaining%20crates.io%20tokens%20from%20subprocesses/near/171642247" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/obtaining.20crates.2Eio.20tokens.20from.20subprocesses.html#171642247">(Jul 24 2019 at 20:52)</a>:</h4>
<p>there are a few threads discussing alternative authentication methods. lots of people said they were going to work on a (Pre-)RFC, but so far I haven't seen one</p>



<a name="171696952"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/obtaining%20crates.io%20tokens%20from%20subprocesses/near/171696952" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/obtaining.20crates.2Eio.20tokens.20from.20subprocesses.html#171696952">(Jul 25 2019 at 14:37)</a>:</h4>
<p>TIL <a href="https://github.com/rust-lang/rfcs/pull/2730#issuecomment-515068373" target="_blank" title="https://github.com/rust-lang/rfcs/pull/2730#issuecomment-515068373">https://github.com/rust-lang/rfcs/pull/2730#issuecomment-515068373</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>